Monday, 04 November 2019 16:04

Supply chain attacks becoming more commonplace: claim

By Stephen Withers

Sophos principal research scientist Chester Wisniewski

Improvements in patching hygiene have led criminals to divert their attention away from browsers and turn instead to supply chain weaknesses, according to a security vendor.

When people talk about supply chain security, "our mind always goes to the spy story," but the "James Bond worthy" claim by Bloomberg – that malicious chips had been fitted to Supermicro motherboards* supplied to US companies and government agencies – is "a distraction," Sophos principal research scientist Chester Wisniewski told iTWire.

There are many types of supply chain attacks that are really happening, he said, and they all prey on organisations' inherent trust of their suppliers.

For example, 22 municipalities in Texas were hit in one night by ransomware via a service provider they all used, and a similar thing happened to more than 400 dental practices in the US.

If an attacker successfully phishes just one employee at a service provider, that can put all of the company's clients at risk.

Another opportunity for attackers is opened up through bespoke software development and deployment.

Pre-built Docker containers are widely reused, for instance when setting up web servers. "We have blind faith in these containers [and associated software]," Wisniewski said, so criminals are booby-trapping them.

Similarly, extensive use is made of certain open source libraries, giving attackers another route for covertly introducing malicious code into otherwise legitimate applications.

"This has always been a problem with open source," he said.

The trick, Wisniewski suggested, is for an attacker to identify a library that isn't being actively maintained.

In one case, he said, an attacker spotted two inactive libraries within the very popular Node.js JavaScript runtime, and successfully volunteered to take them over. According to reports, bitcoin-stealing code was added to one library, and went undetected for two months.

Such libraries do not need to be very widely used in order to be a worthwhile target: an "audience" of 10,000 users is sufficiently attractive, he said.

That's just two types of supply chain attack. But what steps can organisations take to protect themselves?

Phishing attacks can be effectively eliminated by using two-factor authentication, so it makes sense to ensure that your service providers are using 2FA.

The code and container problem isn't so easy to deal with.

Sophos uses a lot of outside libraries, Wisniewski said, and has adopted a two-step strategy to minimise the associated risks.

Firstly, it carries out a code audit before adopting a new version of a library. That's not a simple task, but should be within the capabilities of developers who use that library.

Secondly, it only adopts new versions that address specific, relevant vulnerabilities. Criminals generally promote feature updates rather than security updates, he observed.

This significantly reduces the number of audits required. If you only take two updates a year, you can afford the time required, he suggested.
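The two-step rule above (audit before adopting, and adopt only versions that fix a vulnerability that actually affects you) can be turned into a mechanical gate. The following is an added example, not code from the article or from Sophos: given pinned versions, a set of proposed upgrades and an advisory feed (all constructed sample data with placeholder package names and advisory IDs), it approves only upgrades that move a package out of a vulnerable range, defers feature-only updates, and also catches the less obvious case of an upgrade that would move a package *into* a vulnerable range.

```python
"""Security-fixes-only dependency update gate (added example, not Sophos code).

Implements the rule described in the article: take a new library version only
when it moves you out of a vulnerable version range.  Versions, package names
and advisory identifiers below are constructed sample data.
"""
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    # Assumes plain dotted-integer versions such as "1.4.2"; pre-release tags
    # (e.g. "1.4.2rc1") would need a real version parser.
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    affected_below: str           # vulnerable if version <  affected_below ...
    affected_from: str = "0.0.0"  # ... and version >= affected_from

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.affected_below)


def evaluate_upgrades(pinned: dict, proposed: dict, advisories: list) -> dict:
    """Decide, per package, whether a proposed version is worth an audit.

    Returns {package: (decision, detail)} where decision is "adopt" (a relevant
    advisory is fixed by the new version) or "defer" (feature update, brand-new
    dependency, downgrade, or an upgrade that would land in a vulnerable range).
    """
    decisions = {}
    for package, new_version in proposed.items():
        current = pinned.get(package)
        if current is None:
            decisions[package] = ("defer", "new dependency: needs a full audit first")
            continue
        if parse_version(new_version) <= parse_version(current):
            decisions[package] = ("defer", "not an upgrade")
            continue
        relevant = [a for a in advisories if a.package == package]
        fixed = [a.advisory_id for a in relevant
                 if a.affects(current) and not a.affects(new_version)]
        introduced = [a.advisory_id for a in relevant
                      if not a.affects(current) and a.affects(new_version)]
        if introduced:
            decisions[package] = ("defer", "would move into vulnerable range: " + ", ".join(introduced))
        elif fixed:
            decisions[package] = ("adopt", "fixes " + ", ".join(fixed))
        else:
            decisions[package] = ("defer", "feature update, no relevant advisory")
    return decisions


# Constructed sample data: a pinned manifest, the upgrades an update bot
# proposed, and an advisory feed.  Names and IDs are placeholders.
PINNED = {"libfoo": "1.4.2", "libbar": "2.0.0", "libbaz": "0.9.1"}
PROPOSED = {"libfoo": "1.4.3", "libbar": "2.1.0", "libbaz": "1.0.0", "libnew": "3.0.0"}
ADVISORIES = [
    Advisory("libfoo", "ADV-0001", affected_below="1.4.3"),
    Advisory("libbaz", "ADV-0002", affected_from="1.0.0", affected_below="1.0.2"),
]


def run_demo() -> dict:
    return evaluate_upgrades(PINNED, PROPOSED, ADVISORIES)


if __name__ == "__main__":
    for package, (decision, detail) in sorted(run_demo().items()):
        print(f"{package:8} {decision:6} {detail}")
```

Only `libfoo` comes out as "adopt" (and therefore as the one upgrade that gets an audit this cycle); `libbar` is a feature update, `libnew` is a new dependency that needs a full review before it is trusted at all, and `libbaz` is deferred because the proposed version sits inside an advisory's affected range.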

In the wake of the long-standing Heartbleed flaw in OpenSSL, some big companies invested in auditing the most commonly used libraries and packages, so criminals now seek out smaller targets, where their changes are less likely to be noticed, according to Wisniewski.

When it comes to containers, you could build your own in the time it takes to audit the contents of a prefabricated container, so that is his recommended approach.

In one case, there was nothing wrong with a malicious container apart from the fact that a criminal had installed their own SSH key, allowing them to log into any instance of that container.
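The planted-SSH-key case is one of the few container backdoors that a simple filesystem check can catch. The script below is an added example, not code from the article or from Sophos: it assumes the image has already been flattened to a directory (for instance with `docker export` and `tar -x`), walks the standard `authorized_keys` locations, fingerprints every key the way OpenSSH does (SHA-256 of the decoded key blob), and reports any key not on an allow-list, plus the presence of an SSH daemon at all. The rootfs, key blobs and allow-list it builds are constructed sample data.

```python
"""Audit an extracted container image filesystem for planted SSH keys.

Added example, not from the article or Sophos.  Assumes the image has been
flattened to a directory; the sample rootfs, key blobs and allow-list below
are constructed so the script runs offline.
"""
import base64
import hashlib
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(key_line: str):
    """OpenSSH-style 'SHA256:<b64>' fingerprint of one authorized_keys line, or None.

    Handles an optional options prefix (e.g. from="..." or command="...")
    by locating the key-type token first.
    """
    parts = key_line.split()
    for i, part in enumerate(parts[:-1]):
        if part.startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def authorized_key_files(rootfs: Path) -> list:
    """Standard authorized_keys locations: root plus every /home/<user>."""
    candidates = [rootfs / "root" / ".ssh" / "authorized_keys"]
    home = rootfs / "home"
    if home.is_dir():
        candidates += [d / ".ssh" / "authorized_keys" for d in sorted(home.iterdir())]
    return [p for p in candidates if p.is_file()]


def audit_rootfs(rootfs, allowed_fingerprints: set) -> list:
    """Return sorted (relative_path, message) findings for an extracted rootfs."""
    rootfs = Path(rootfs)
    findings = []
    for path in authorized_key_files(rootfs):
        rel = str(path.relative_to(rootfs))
        for line in path.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fp = key_fingerprint(line)
            if fp is None:
                findings.append((rel, "unparseable authorized_keys line"))
            elif fp not in allowed_fingerprints:
                findings.append((rel, f"unexpected key {fp} ({line.split()[-1]})"))
    # A daemon that accepts remote logins has no business in a web-server
    # image; flag it even before any key is found.
    if (rootfs / "usr" / "sbin" / "sshd").exists():
        findings.append(("usr/sbin/sshd", "ssh daemon present in image"))
    return sorted(findings)


def fake_key(label: str, comment: str) -> str:
    # A real line carries a wire-format public key; a labelled blob is enough
    # to exercise parsing and fingerprinting (constructed data).
    blob = base64.b64encode(f"constructed key: {label}".encode()).decode()
    return f"ssh-ed25519 {blob} {comment}"


ALLOWED_KEY = fake_key("build system", "ops@build")
PLANTED_ROOT_KEY = fake_key("planted root", "nobody@nowhere")
PLANTED_APP_KEY = 'from="*" ' + fake_key("planted app", "nobody@nowhere")  # options prefix
ALLOWED_FINGERPRINTS = {key_fingerprint(ALLOWED_KEY)}


def build_sample_rootfs(base: Path) -> Path:
    """Lay out a constructed rootfs: one legitimate key, two planted ones, and sshd."""
    layout = {
        "root/.ssh/authorized_keys": f"# build access\n{ALLOWED_KEY}\n{PLANTED_ROOT_KEY}\n",
        "home/app/.ssh/authorized_keys": PLANTED_APP_KEY + "\n",
        "usr/sbin/sshd": "",
    }
    for rel, content in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = build_sample_rootfs(Path(tmp))
        return audit_rootfs(rootfs, ALLOWED_FINGERPRINTS)


if __name__ == "__main__":
    for rel, message in run_demo():
        print(f"{rel}: {message}")
```

Comparing fingerprints rather than raw lines means a key re-pasted with a different comment or options prefix still matches the allow-list, while any blob you did not put there is reported. In practice the same check belongs in the image build pipeline, next to whatever scanner you already run, so that an image is rejected before it reaches a registry.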

"It's a difficult challenge," he said.

While there are some centralised distribution points (e.g., Docker for containers and GitHub for open source projects), large organisations seem reluctant to reveal whether any particular version has passed their audit process, possibly fearing reputational loss if someone discovers an issue they overlooked.

However, cloud services such as AWS and Azure are heavily audited and employ some of the best security people in the world, so it makes sense to use their libraries and containers, Wisniewski suggested.

He drew a parallel with the way some of the major app stores vet software before releasing it: "we know they're not perfect... but they're pretty darned good."

Another advantage of app stores is that they provide a central point where a piece of software found to be malicious can be 'recalled'.

Improved patching habits mean that where browsers were once exploited in around 80% of attacks, that has now fallen to approximately 10%, so criminals are turning to other approaches.

"Most of us are hit by opportunistic attacks" rather than being specifically identified, he said, so making sure you're not an easy target substantially reduces the chance of being affected.

It's the old story: if your doors are locked and your neighbours' aren't, you're less likely to be burgled even though locks don't provide 100% protection.

Similarly, countermeasures against supply chain exploits generally aim to increase criminals' cost of doing business by eliminating or at least greatly reducing the number of easy targets.


* Although the Bloomberg claim has been widely discredited, last month a security researcher revealed a proof of concept that showed how less than US$200 worth of equipment could be used to fit a US$2 chip to a Cisco firewall in order to take remote control of the device.


Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
